Tuesday, December 06, 2005
.php.any file extention PHP execution
on Sun, 04 Dec 2005 22:32:49 -0600, Ron disclosed a possible vulnerability pertaining to Apache+PHP. the scenerio goes as follows:
an attacker is able to upload the file:
possibly bypassing filters which strip out or rejects files with a .php extension.
the next step, is simply visiting the file you uploaded, and if it contained php code it most likely will get executed.
now, the condition is if the extension, in my example ".rar", is not configured in Apache with a proper mime type, then it seems to be executed under the php engine.
so far replies have pointed out the following affected versions:
Apache 1.3.33
Apache 2.0.54
I've personally verified that the issue works on:
Apache/1.3.33 with PHP 4.4.0 (cli) (built: Oct 22 2005 02:27:37)
I plan on doing my research a bit later on in the morning.. to be continued! ¶ 12/06/2005 01:53:00 AM
an attacker is able to upload the file:
example.php.rar (or as it seems, many many many other extensions)
possibly bypassing filters which strip out or rejects files with a .php extension.
the next step, is simply visiting the file you uploaded, and if it contained php code it most likely will get executed.
now, the condition is if the extension, in my example ".rar", is not configured in Apache with a proper mime type, then it seems to be executed under the php engine.
so far replies have pointed out the following affected versions:
Apache 1.3.33
Apache 2.0.54
I've personally verified that the issue works on:
Apache/1.3.33 with PHP 4.4.0 (cli) (built: Oct 22 2005 02:27:37)
I plan on doing my research a bit later on in the morning.. to be continued! ¶ 12/06/2005 01:53:00 AM